b'                   U.S. Department of Agriculture\n\n                      Office of Inspector General\n                       Financial & IT Operations\n\n\n\n\n        Audit Report\n\nFiscal Year 2004 \xe2\x80\x93 Review of the\n    National Finance Center\n        General Controls\n\n\n\n\n                         Report No. 11401-20-FM\n                                   October 2004\n\x0c\x0cExecutive Summary\nFiscal Year 2004 - Review of the National Finance Center General Controls\n\nResults in Brief     This report presents the results of our review of the internal controls at the\n                     Office of the Chief Financial Officer/National Finance Center (OCFO/NFC)\n                     as of June 30, 2004. While the center has taken significant corrective\n                     actions during the fiscal year, the report contains a qualified opinion on the\n                     internal control structure because certain control policies and procedures, as\n                     described in the report, were not suitably designed, and/or operating\n                     effectively at the time of our review.\n\n                     Our objectives were to perform testing necessary to express an opinion about\n                     (1) whether the control objectives and techniques in exhibit A for the U.S.\n                     Department of Agriculture\xe2\x80\x99s OCFO/NFC present fairly, in all material\n                     respects, the aspects of the OCFO/NFC policies and procedures in place and\n                     operating effectiveness during the period October 1, 2003, through June 30,\n                     2004, (2) whether this control structure of policies and procedures was\n                     suitably designed to provide reasonable assurance that the specified control\n                     objectives were complied with satisfactorily, and (3) the operating\n                     effectiveness of the specified control structure policies 
and procedures in\n                     achieving specified control objectives.\n\n                     Our audit disclosed that, except for the matters referred to below, the control\n                     objectives and techniques identified in exhibit A present fairly, in all\n                     material respects, the relevant aspects of OCFO/NFC. Also, in our opinion,\n                     except for the deficiencies described below, the policies and procedures, as\n                     described, are suitably designed to provide reasonable assurance that the\n                     remaining control objectives would be achieved if the described policies and\n                     procedures were complied with satisfactorily.\n\n                     OCFO/NFC has made significant improvements to ensure compliance with\n                     Federal regulations is achieved; however, we found that OCFO/NFC had not\n                     completed certification and accreditation of its major applications and\n                     general support systems. We found that OCFO/NFC had not updated its\n                     directive and functional statements to clearly define security responsibilities\n                     after its 2002 reorganization. Further, OCFO/NFC had not completed all\n                     required background investigations for individuals in high-risk positions.\n                     OCFO/NFC has continued to make progress in these areas and completed its\n                     certification and accreditation by September 30, 2004, in accordance with\n                     departmental guidance. OCFO/NFC plans to initiate a review to evaluate\n                     security responsibilities, and continue obtaining security clearance as funds\n                     permit. 
Without clearly defined security responsibilities, and adequate\n                     background investigations, OCFO/NFC will not be adequately assured that\n                     its security management structure is operating effectively; and thus putting\n                     its critical resources at increased risk of loss, misuse, and improper\n                     modification.\n\nUSDA/OIG-A/11401-20-FM                                                                       Page i\n\x0c                   We found OCFO/NFC personnel and some of its clients had access to critical\n                   payroll and personnel applications that exceeded what was required to\n                   perform their job functions. In some instances, the access provided also\n                   violated separation of duty controls. We also determined that OCFO/NFC\n                   was not adequately ensuring that access to sensitive client information that\n                   was extracted from these systems was adequately protected from\n                   unauthorized disclosure. This occurred because OCFO/NFC had not\n                   adequately restricted access based on job responsibilities or complied with its\n                   prescribed guidance to monitor access for all its employees and external\n                   users. As a result, OCFO/NFC systems are at an increased risk of inadvertent\n                   or deliberate misuse without detection.\n\n                   We also found that OCFO/NFC had not ensured that modems on its network\n                   were adequately tracked or properly secured, that its firewall configurations\n                   were appropriately maintained, or that logs were periodically reviewed on its\n                   Web and Unix servers. 
This occurred because OCFO/NFC had not\n                   established adequate controls or complied with its own guidelines to monitor\n                   and secure these critical network resources. As a result, OCFO/NFC\xe2\x80\x99s\n                   network is at unnecessary risk of intrusion and unauthorized access that may\n                   not be detected in a timely manner.\n\n                   Finally, despite prior recommendations, we found that OCFO/NFC needed to\n                   strengthen its controls over application changes. Although NFC was\n                   documenting application software change requests and approvals, we found\n                   that OCFO/NFC needed to ensure that it (1) completes documentation of\n                   application change testing, (2) performs user acceptance testing on mandated\n                   application software changes, (3) obtains users\xe2\x80\x99 approval of application\n                   software requirements, and (4) notifies users of emergency changes for\n                   subsequent review. These occurred because OCFO/NFC was not adequately\n                   enforcing its established guidance. 
Until these issues are addressed,\n                   OCFO/NFC will face increased risk that application software changes may\n                   not meet user needs, not operate as intended, or cause unforeseen adverse\n                   impacts on the application.\n\n                   We believe that the internal control weaknesses discussed in this report\n                   constitute a material weakness, taken as a whole, and should be reported in\n                   OCFO\xe2\x80\x99s Federal Managers\xe2\x80\x99 Financial Integrity Act until corrected.\n\nRecommendations\nIn Brief           OCFO/NFC is in the process of implementing significant actions to correct\n                   the weaknesses we identified in this report and based on prior Office of\n                   Inspector General recommendations. Therefore, we make no additional\n                   recommendations on outstanding issues.        However, we have made\n                   recommendations for OCFO/NFC to:\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                    Page ii\n\x0c                     \xe2\x80\xa2   Update its functional statements, management directives, and any\n                         applicable procedures to clearly define and delineate separation of\n                         security functions;\n\n                     \xe2\x80\xa2   document and implement access profiles based on job responsibilities\n                         and separation of duties principles, and establish a process to\n                         periodically review user access to ensure that it remains consistent with\n                         job functions and separation of duties principles;\n\n                     \xe2\x80\xa2   document adequate justification and develop effective compensating\n                         controls for those branches that require update access to applications\n                         that violate separation of duty 
controls;\n\n                     \xe2\x80\xa2   identify modem phone lines during business hours, expand current\n                         procedures to ensure that the modems identified are adequately\n                         secured, survey its organizations to identify modems that are currently\n                         in use and authorized and update the database accordingly, and\n                         establish a process to annually verify that faxes/modems are still\n                         needed;\n\n                     \xe2\x80\xa2   document the current firewall configuration, establish a formal\n                         configuration change management process for the firewall, and begin\n                         performing periodic reviews of the firewall configuration;\n\n                     \xe2\x80\xa2   develop a process to ensure that adequate testing has been performed\n                         and properly documented by the development organization before its\n                         approving official signs change requests; and\n\n                     \xe2\x80\xa2   establish controls to ensure that acceptance testing is performed or a\n                         waiver is obtained prior to implementation for all mandated changes.\n\nAgency Response    OCFO agreed with the findings and recommendations and will provide a\n                   specific response to the recommendations under separate cover.\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                    Page iii\n\x0cAbbreviations Used in This Report\n\nADP          Automated Data Processing\nCIO          Chief Information Officer\nCSS          Cyber Security Staff\nDR           Departmental Regulation\nFIPS         Federal Information Processing Standards\nFISCAM       Federal Information System Controls Audit Manual\nFISMA        Federal Information Security Management Act\nGAO          Government Accountability Office\nHSPD         Homeland 
Security Presidential Directive\nID           Identification\nIDP          Individual Development Plans\nISSPM        Information Systems Security Program Manager\nIT           Information Technology\nMOU          Memorandum of Understandings\nNFC          National Finance Center\nNIST         National Institute of Standards and Technology\nOCFO         Office of the Chief Financial Officer\nOMB          Office of Management and Budget\nOPM          Office of Personnel Management\nSP           Special Publication\nT&A          Time and Attendance\nUSDA         U.S. Department of Agriculture\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                          Page iv\n\x0cTable of Contents\n\nExecutive Summary .................................................................................................................................i\n\nAbbreviations Used in This Report ......................................................................................................iv\n\nBackground and Objectives ................................................................................................................... 1\n\nReport of the Office of Inspector General ............................................................................................ 3\n\nFindings and Recommendations............................................................................................................ 5\n\n    Section 1. Security Program Management and Compliance ...................................................... 5\n\n        Finding 1             Further Actions are Needed to Ensure Compliance with Federal Regulations\n                              and to Strengthen its Security Management Structure ............................................ 5\n                                  Recommendation No. 1.................................................................................... 8\n\n    Section 2. 
Mainframe and Network Access Controls ................................................................... 9\n\n        Finding 2             Access Controls to Payroll/Personnel Applications and Sensitive Data\n                              Requires Improvement ............................................................................................ 9\n                                 Recommendation No. 2.................................................................................. 11\n                                 Recommendation No. 3.................................................................................. 12\n                                 Recommendation No. 4.................................................................................. 12\n                                 Recommendation No. 5.................................................................................. 12\n        Finding 3             Network Security and Monitoring Efforts Need Improvement............................. 12\n                                 Recommendation No. 6.................................................................................. 15\n                                 Recommendation No. 7.................................................................................. 15\n                                 Recommendation No. 8.................................................................................. 15\n\n    Section 3. Application Software Change Controls ...................................................................... 16\n\n        Finding 4   Application Software Change Controls Need Improvement................................. 16\n                        Recommendation No. 9.................................................................................. 18\n                        Recommendation No. 10................................................................................ 
18\n                        Recommendation No. 11................................................................................ 18\nExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls............................................ 19\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                                                    Page v\n\x0cBackground and Objectives\nBackground                       The National Finance Center (NFC), located in New Orleans, Louisiana, is\n                                 operated by the U.S. Department of Agriculture\xe2\x80\x99s (USDA) Office of the\n                                 Chief Financial Officer (OCFO). The center operates administrative and\n                                 financial systems that support the missions of USDA and other Federal\n                                 Departments. Most importantly, the center is responsible for developing and\n                                 operating the Payroll/Personnel System. In fiscal year 2003, OCFO/NFC\n                                 processed more than $66.9 billion in disbursements and collections for\n                                 USDA and its other customers.\n\n                                 OCFO/NFC uses two mainframe computers with the z/OS operating system\n                                 and other system software1 to establish and control the environment in which\n                                 the administrative and financial applications are processed. 
The center also\n                                 relies on a nationwide telecommunication network that links computer\n                                 hardware at remote locations to the OCFO/NFC mainframe computers.\n\n                                 Information security has become increasingly important as computer\n                                 technology has advanced and Federal agencies have become more dependent\n                                 on computerized information systems to carry out their operations and to\n                                 process, maintain, and report essential information. Homeland Security\n                                 Presidential Directive (HSPD) \xe2\x80\x93 7, \xe2\x80\x9cCritical Infrastructure Identification,\n                                 Prioritization, and Protection,\xe2\x80\x9d dated December 17, 2003,2 requires agencies\n                                 to identify, prioritize, assess, remediate, and protect their internal critical\n                                 infrastructure and key resources, and places particular emphasis on\n                                 information technology (IT) systems. On December 17, 2002, the President\n                                 signed into law the E-Government Act (P.L. 107-347), which includes Title\n                                 III, the Federal Information Security Management Act. 
The Act requires\n                                 each Federal agency to develop, document, and implement agency-wide\n                                 information security programs to protect the information and information\n                                 systems that support the operations and assets of the agency.\n\n                                 To assist auditors in evaluating the effectiveness of information system\n                                 controls, the Government Accountability Office issued the Federal\n                                 Information System Controls Audit Manual (FISCAM) in January 1999.\n                                 This manual describes computer-related controls that auditors should\n                                 consider when assessing the integrity, confidentiality, and availability of\n                                 computerized data and includes a methodology for assessing these controls.\n                                 FISCAM describes six major categories of computer-related general controls\n\n1\n  Generally, one set of system software is used to support and control all of the applications that are processed on a particular computer\nsystem. System software helps control and coordinate input, processing, output, and data storage associated with all of the applications\nthat run on a computer system. Some system software can change data and program code on files without leaving an audit trail or can be\nused to modify or delete audit trails. 
Examples of system software include the operating system, system utilities, file maintenance\nsoftware, security software, data communications systems, and database management systems.\n2\n  HSPD-7 supersedes Presidential Decision Directive 63, \xe2\x80\x9cPolicy on Critical Infrastructure Protection,\xe2\x80\x9d dated May 22, 1998.\nUSDA/OIG-A/11401-20-FM                                                                                                          Page 1\n\x0c                   that create the environment in which application systems and controls\n                   operate.\n\n                      \xe2\x80\xa2   Entity-wide security program planning and management controls\n                          provide a framework and continuing cycle of activity for managing\n                          risk, developing security policies, assigning responsibilities, and\n                          monitoring the adequacy of the organization\xe2\x80\x99s computer-related\n                          controls.\n\n                      \xe2\x80\xa2   Access controls are used to limit or detect access to computer\n                          resources (data, programs, equipment, and facilities) and, thereby,\n                          protect these resources against unauthorized modification, loss, and\n                          disclosure.\n\n                      \xe2\x80\xa2   System software controls limit and monitor access to the powerful\n                          programs and sensitive files that control the computer hardware and\n                          secure applications supported by the system.\n\n                      \xe2\x80\xa2   Segregation of duties controls include the policies, procedures, and\n                          organizational structure established to prevent one individual from\n                          controlling key aspects of computer-related operations that could be\n                          used to conduct unauthorized actions or gain 
unauthorized access to\n                          assets or records.\n\n                      \xe2\x80\xa2   Application software development and change controls prevent\n                          unauthorized programs or modifications to existing programs from\n                          being implemented.\n\n                      \xe2\x80\xa2   Service continuity controls ensure that, when unexpected events\n                          occur, critical operations continue without interruption or are\n                          promptly resumed and critical and sensitive data are protected.\n\nObjectives         Our overall objective was to obtain reasonable assurance about whether the\n                   internal control structure of the OCFO/NFC is suitably designed to protect\n                   the integrity of the data processed at the OCFO/NFC. More specifically, we\n                   performed testing necessary to express an opinion about (1) whether the\n                   control objectives and techniques in exhibit A for OCFO/NFC present fairly,\n                   in all material respects, the aspects of the OCFO/NFC policies and\n                   procedures in place and operating effectiveness, as of June 30, 2004, (2)\n                   whether this control structure of policies and procedures was suitably\n                   designed to provide reasonable assurance that the specified control objectives\n                   were complied with satisfactorily, and (3) the operating effectiveness of the\n                   specified control structure policies and procedures in achieving specified\n                   control objectives.\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                    Page 2\n\x0c                  UNITED STATES DEPARTMENT OF AGRICULTURE\n\n                                      OFFICE OF INSPECTOR GENERAL\n\n                                           Washington D.C. 
20250\n\n\n\n\nReport of the Office of Inspector General\nTO:    Patricia E. Healy\n       Acting Chief Financial Officer\n       U.S. Department of Agriculture\n\nWe have examined the control objectives and techniques identified in exhibit A for the U.S.\nDepartment of Agriculture\xe2\x80\x99s (USDA), Office of the Chief Financial Officer/National Finance Center\n(OCFO/NFC). Our examination included procedures to obtain reasonable assurance about (1) whether\nthe control objectives and techniques of the OCFO/NFC present fairly, in all material respects, the\naspects of the OCFO/NFC\xe2\x80\x99s policies and procedures in place and operating effectiveness during the\nperiod October 1, 2003, through June 30, 2004, (2) whether the control structure of policies and\nprocedures was suitably designed to provide reasonable assurance that the specified control objectives\nwere complied with satisfactorily, and (3) the operating effectiveness of the specified control structure\npolicies and procedures in achieving specified control objectives. The control objectives were\nspecified by OCFO/NFC.\n\nOur audit was conducted in accordance with \xe2\x80\x9cGovernment Auditing Standards\xe2\x80\x9d issued by the\nComptroller General of the United States and standards issued by the American Institute of Certified\nPublic Accountants and included those procedures we considered necessary to obtain a reasonable\nbasis for rendering our opinion.\n\nWhile OCFO/NFC has made significant progress in fiscal year 2004, most notably in the security of its\ninformation technology (IT) systems, our audit disclosed that further improvements are needed.\nSpecifically, OCFO/NFC needs to ensure that security responsibilities are clearly defined, and required\nbackground investigations are conducted. We also noted that improvements are needed with general\nnetwork security, access controls, and application change controls. 
Until these security areas are\naddressed, OCFO/NFC faces an increased risk of exposing its systems to improper access.\n\nIn our opinion, except for the matters referred to above, the control objectives and techniques\nidentified in exhibit A of this report present fairly, in all material respects, the relevant aspects of\nOCFO/NFC. Also, in our opinion, except for the matters referred to above, the policies and\nprocedures, as described, were suitably designed to provide reasonable assurance that the remaining\ncontrol objectives would be achieved if the described policies and procedures were complied with\nsatisfactorily.\n\nAlso, in our opinion, except for the matters referred to above, the policies and procedures that were\ntested, as described in the exhibit, were operating with sufficient effectiveness to provide reasonable,\nbut not absolute, assurance that the control objectives specified were achieved during the period from\nOctober 1, 2003, through June 30, 2004. The scope of this engagement did not include tests to\n\nUSDA/OIG-A/11401-20-FM                                                                            Page 3\n\x0c\x0cFindings and Recommendations\nSection 1.        Security Program Management and Compliance\n\n\n\n\nFinding 1                       Further Actions are Needed to Ensure Compliance with Federal\n                                Regulations and to Strengthen its Security Management\n                                Structure\n\n                                OCFO/NFC has made significant improvements to comply with Federal\n                                regulations; however, we found that OCFO/NFC had not completed\n                                certification and accreditation of its major applications and general support\n                                systems. 
Further, we found that OCFO/NFC had not updated its directive\n                                and functional statements to clearly define security responsibilities after its\n                                2002 reorganization. Further, OCFO/NFC had not completed all required\n                                background investigations for individuals in high-risk positions. OCFO/NFC\n                                has continued to make progress in these areas and completed its certification\n                                and accreditation by September 30, 2004, in accordance with departmental\n                                guidance. Finally, OCFO/NFC planned to initiate a review to evaluate\n                                security responsibilities, and continue obtaining security clearances as funds\n                                permit. Without clearly defined security responsibilities, and adequate\n                                background investigations, OCFO/NFC will not be adequately assured that\n                                its security management structure is operating effectively; and thus putting its\n                                critical resources at increased risk of loss, misuse, and improper modification.\n\n                                The Office of Management and Budget (OMB) and the National Institute of\n                                Standards and Technology (NIST) recognize the need for a continuous cycle\n                                of risk-based security management activities to ensure that effective security\n                                controls are established and maintained. 
This cycle includes (1) assessing\n                                risk; (2) developing security plans based on the results of risk assessments;\n                                (3) testing the effectiveness of security policies, procedures, and controls\n                                (certification); and (4) authorizing information systems\xe2\x80\x99 processing\n                                (accreditation). USDA\xe2\x80\x99s Chief Information Officer (CIO) has issued\n                                guidance for certifying and accrediting systems, which is based on the NIST3\n                                requirement that information systems\xe2\x80\x99 certification and accreditation be\n                                based on risk assessments and security plans.\n\n                                OMB4 also requires that security-related responsibilities of offices and\n                                individuals throughout the entity should be clearly defined to include those of\n                                (1) information resource owners and users, (2) information resources\n\n3\n  NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security Certification and Accreditation of Federal Information Systems,\xe2\x80\x9d dated May\n2004.\n4\n  OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Resources,\xe2\x80\x9d dated November 30, 2000.\nUSDA/OIG-A/11401-20-FM                                                                                                      Page 5\n\x0c                                management and data processing personnel, (3) senior management, and (4)\n                                security administrators.\n\n                                Further, Executive Order No. 
10450,5 as amended, established general\n                                requirements that every competitive service position be designated at a risk\n                                level commensurate with the public trust responsibilities of the position, and\n                                be made subject to investigation. In 1998, OCFO/NFC issued its own\n                                directive6 to implement the background investigation requirements.\n\n                                Certification and Accreditation of OCFO/NFC General Support Systems and\n                                Major Applications Not Yet Completed, as of June 30, 2004\n\n                                OCFO/NFC had revised its certification and accreditation process in\n                                accordance with departmental guidelines, completed risk assessments and\n                                security plans for its general support systems and major applications, and\n                                begun to perform certifications of its information systems based on its new\n                                procedures. However, it had not completed the certification and accreditation\n                                of its general support systems and major applications by the end of our\n                                fieldwork. 
Without the necessary security certifications and accreditations,\n                                OCFO/NFC could not ensure the secure operations of its information\n                                systems; therefore, placing sensitive information at increased risk of loss,\n                                misuse, and improper modification, for the period under review.\n\n                                OCFO/NFC officials informed us that certifications of its general support\n                                systems and major applications were completed by September 30,\n                                2004.Security Responsibilities Not Clearly Defined\n\n                                During fiscal year 2002, OCFO/NFC went through a major reorganization\n                                change and some security responsibilities were transferred within the\n                                organization. However, we noted that OCFO/NFC had not updated certain\n                                procedures to clearly identify security responsibilities and the individuals\n                                who were responsible to perform those security functions. When security\n                                procedures are not updated to clearly delineate separation of security\n                                functions, individuals may misunderstand or improperly implement their\n                                security responsibilities and therefore, controls may be inconsistently applied.\n\n                                Prior to 2002, most security functions at OCFO/NFC were within the\n                                Information Systems Policy and Control Staff (ISPCS). In April 2002,\n                                OCFO/NFC created the Cyber Security Staff (CSS) to provide overall\n                                security guidance and oversight. 
OCFO/NFC transferred some of the functions, such as disaster recovery and security awareness,
from ISPCS to CSS, while other functions, such as preparing security plans and risk assessments,
were transferred to system owners. However, we found that security responsibilities had not been
updated in OCFO/NFC directives, functional statements, and service center descriptions to clearly
delineate the separation of security functions.

For example, OCFO/NFC had not updated its directives to move the Information Systems Security
Project Manager (ISSPM) responsibilities to the Chief of CSS. OCFO/NFC management advised us that
the ISSPM designation had been made to the Chief of CSS; however, a position in the organization
structure had not been created, nor a position description written, defining the ISSPM.

[5] Executive Order No. 10450, “Security Requirements for Government Employment,” signed
April 27, 1953.
[6] Title VII, Chapter 14, Directive 7, “Risk Levels, Position Sensitivity Descriptions, and
Background Investigations for OCFO/NFC and Contractor Personnel.”

USDA/OIG-A/11401-20-FM                                                                 Page 6

OCFO/NFC is currently going through another reorganization. Officials advised us that they would
initiate a review to further clarify security responsibilities. 
OCFO/NFC had already established a team to review the functional and organizational changes and
develop individual organizational responsibilities and accountability. Further, OCFO/NFC
officials informed us that they had requested funding for an independent assessment of the IT
security program to determine the best alignment of security functions according to industry
best practices.

Required Background Investigations Not Obtained

While OCFO/NFC has revised its controls to implement the Office of Personnel Management (OPM)
requirements for assigning risk levels and performing background investigations, we determined
that these controls were not fully operational. Even though progress has been made, we determined
that background investigations or reinvestigations within the required timeframe had not been
completed for 27 high-risk IT specialist positions.[7] Without the necessary security background
investigations and reinvestigations, OCFO/NFC faces the risk of exposing its information
resources to loss or harm caused by these individuals.

We obtained a background investigation status report from OCFO/NFC and performed an analysis to
determine whether progress had been made relating to background investigations. 
We noted that OCFO/NFC had taken some corrective actions and reclassified positions such as
security administrators, system programmers, and application programmers as “high-risk.” In
total, OCFO/NFC had classified 131 information system positions as high-risk, compared to only 13
during our prior audit. However, despite this progress, we identified an additional 27 high-risk
information system positions that either did not have a background investigation or did not have
a reinvestigation within the required 5-year period.[8]

[7] Our review was limited to high-risk IT positions (series 2210) in four divisions of OCFO/NFC.
[8] One of these positions had never had an investigation, and the person had been employed at
OCFO/NFC since at least 1990. The other 26 positions had not had a reinvestigation within the
required timeframe; several of these 26 positions had an initial investigation from the 1970s.

OCFO/NFC recently updated its procedures for conducting background investigations in a timely
manner. OCFO/NFC’s goal is to complete as many reinvestigations as funding permits.

Since we recommended in our prior audit that background investigations be completed in a timely
manner and renewed every 5 years for personnel in high-risk positions, we are not making further
recommendations.

Recommendation No. 
1

OCFO/NFC should update its functional statements, management directives, and any applicable
procedures to clearly define and delineate the separation of security functions.

Section 2. Mainframe and Network Access Controls

Access controls, such as user identifications (IDs) and passwords, protect network applications
and data against unauthorized access. Network administrators should give only authorized users
access to network applications and data, and ensure that such access is limited to what is
needed to perform the user’s job functions. In addition, administrators need to ensure that
network devices such as modems and firewalls are properly configured so that access to network
resources is protected against unauthorized or malicious use. Without strong access controls,
privacy and financial data are subject to loss, disclosure, and unauthorized modification.

Finding 2    Access Controls to Payroll/Personnel Applications and Sensitive Data Require
             Improvement

We found that OCFO/NFC personnel and some of its clients had access to critical payroll and
personnel applications that exceeded what was required to perform their job functions. 
In some instances, the access provided also violated separation of duty controls. This occurred
because OCFO/NFC had not adequately restricted access based on job responsibilities or complied
with its prescribed guidance to monitor access for all its employees and external users. We also
determined that OCFO/NFC had not ensured that sensitive client information extracted from these
systems was adequately protected from unauthorized disclosure. Inappropriate access increases the
vulnerability of OCFO/NFC applications and the payroll/personnel system to fraudulent activity.

OCFO/NFC directives[9] state that OCFO/NFC employees should be granted access authority only to
those resources required to carry out their jobs and that the number of employees with
authorized access will be limited to the minimum number needed to effectively perform the
required functions. OCFO/NFC directives[10] also state that separation of functions will be used
as an internal control to guard against personnel having the opportunity to commit and/or
conceal the intentional or unintentional alteration or destruction of data or software, or to
view data outside the scope of their normal job assignments. 
In addition, if the separation of incompatible functions is not possible, compensating controls
must be used.

[9] Title VII, Chapter 11, Management Directive No. 27.
[10] Title VII, Chapter 11, Directive 40.

Access to Payroll and Personnel Applications

We reviewed access reports provided by OCFO/NFC and found the following instances where access
to payroll and personnel applications was not adequately restricted based on job responsibility
or separation of duties principles:

•   We found over 60 individuals at OCFO/NFC who had update access to critical payroll and
    personnel systems or data without a related job function need. We noted programmers who had
    access to update production data, individuals who retained update access from a previous
    assignment, and individuals who had been given update access when their duties required only
    read access. OCFO/NFC agreed to change all of the inappropriate accesses identified during
    our review.

•   We identified 68 individuals at OCFO/NFC who had the ability to update both payroll and
    personnel actions, and to add positions and update tables within the payroll and personnel
    systems. 
    This access could have allowed fraudulent transactions to be processed. Further, OCFO/NFC did
    not have effective compensating controls in place to detect possible fraudulent transactions
    that could have occurred due to this level of access. OCFO/NFC officials agreed to review
    these accesses and make changes where possible or implement compensating controls.

•   We found users external to OCFO/NFC who had update access to four critical payroll and
    personnel applications. Having update access to these applications violates separation of
    duty controls. 
    On one of its critical web-based systems, users both internal and external to OCFO/NFC could
    initiate incompatible transactions within the same system.

[11] Title VII, Chapter 11, Directive 40.

The above instances could have been avoided if OCFO/NFC had (1) adequately maintained access
profiles based on job functions and separation of duties principles and (2) established an
effective mechanism to periodically review access granted to employees to ensure that it remains
consistent with job functions and separation of duties principles. OCFO/NFC directives[11] state
that OCFO/NFC will produce reports for division/staff security coordinators that show the scope
of an employee’s security access and/or lists of who has access to specific data, and that the
division/staff security coordinators will distribute monthly access authorization reports to the
appropriate branch chiefs. Currently, OCFO/NFC does not periodically distribute reports of
application access, and based on our review, branch chiefs were not reviewing application access
on a periodic basis. 
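The two controls described above, access profiles based on job functions and separation of duties and a periodic review of granted access against those profiles, can be run mechanically over an access report. The following is an added example, not part of this report or of OCFO/NFC’s access administration tooling. The entitlement names, role profiles, toxic combinations and the sample access report are assumptions constructed to mirror the kinds of exceptions the review found: a programmer with production update access, update access where read would do, one person able to update both payroll and personnel actions, and an external client user with update access.

```python
"""Access review over an entitlement report (added example, not OCFO/NFC code).

Two checks: (1) least privilege, each user's entitlements against the profile
for their job function, and (2) separation of duties, no single user holding a
"toxic" combination that lets them both commit and conceal a change.  All
entitlement names, role profiles, toxic combinations and the sample report
below are assumptions constructed to mirror the finding.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Assumed entitlement names for a payroll/personnel system.
PAY_UPD = "payroll.update"        # update payroll actions
PER_UPD = "personnel.update"      # update personnel actions
POS_ADD = "position.add"          # add positions
TBL_UPD = "table.update"          # update control tables
PROD_UPD = "prod.data.update"     # write directly to production data
PAY_READ = "payroll.read"
PER_READ = "personnel.read"

# Assumed role profiles: the most a job function should ever hold.
ROLE_PROFILES: Dict[str, Set[str]] = {
    "payroll_technician":   {PAY_UPD, PAY_READ, PER_READ},
    "personnel_technician": {PER_UPD, PER_READ, PAY_READ},
    "table_maintainer":     {TBL_UPD, PAY_READ, PER_READ},
    "auditor":              {PAY_READ, PER_READ},
    "programmer":           set(),   # no production access at all
}

# Assumed toxic combinations: holding every entitlement in one set lets a single
# person process a fraudulent transaction end to end.
TOXIC_COMBINATIONS: List[FrozenSet[str]] = [
    frozenset({PAY_UPD, PER_UPD}),
    frozenset({PER_UPD, POS_ADD}),
    frozenset({PAY_UPD, TBL_UPD}),
]


@dataclass
class UserAccess:
    user: str
    role: str                 # current job function
    entitlements: Set[str]    # what the access report says they hold today
    external: bool = False    # client user outside the organization


def excess_entitlements(u: UserAccess) -> Set[str]:
    """Entitlements beyond the profile of the user's *current* role.  Access
    carried over from a previous assignment shows up here on the next review."""
    return u.entitlements - ROLE_PROFILES.get(u.role, set())


def sod_conflicts(u: UserAccess) -> List[FrozenSet[str]]:
    """Toxic combinations fully contained in the user's entitlements."""
    return [c for c in TOXIC_COMBINATIONS if c <= u.entitlements]


def is_update(entitlement: str) -> bool:
    return not entitlement.endswith(".read")


def review(report: List[UserAccess]) -> Dict[str, Dict[str, list]]:
    """One finding dict per user with an exception; clean users are omitted."""
    findings: Dict[str, Dict[str, list]] = {}
    for u in report:
        f: Dict[str, list] = {}
        excess = excess_entitlements(u)
        if excess:
            f["excess"] = sorted(excess)
        conflicts = sod_conflicts(u)
        if conflicts:
            f["sod"] = [sorted(c) for c in conflicts]
        # External (client) users may read their own data but must never update.
        external_updates = sorted(e for e in u.entitlements if is_update(e))
        if u.external and external_updates:
            f["external_update"] = external_updates
        if f:
            findings[u.user] = f
    return findings


# Constructed sample access report, one row per user.
SAMPLE_REPORT: List[UserAccess] = [
    UserAccess("alice", "payroll_technician", {PAY_UPD, PAY_READ, PER_READ}),
    UserAccess("bob",   "programmer", {PROD_UPD}),                # programmer updating production
    UserAccess("carol", "auditor", {PAY_UPD, PAY_READ}),          # update where read would do
    UserAccess("dave",  "payroll_technician",
               {PAY_UPD, PER_UPD, POS_ADD, PAY_READ}),            # retained from an old assignment
    UserAccess("erin",  "table_maintainer", {TBL_UPD, PAY_READ}, external=True),  # client with update

]

if __name__ == "__main__":
    for user, finding in review(SAMPLE_REPORT).items():
        print(user, finding)
```

Running `review(SAMPLE_REPORT)` flags four of the five sample users; the absence of the first user from the result is the expected outcome for someone whose entitlements match the profile for their role. The profile comparison is what makes the periodic review mechanical: rerun it against each monthly access report, treat anything listed under `excess` as access that no longer matches the job, and treat anything under `sod` as access that must either be removed or be covered by a documented compensating control.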
OCFO/NFC informed us that the ultimate solution to this problem might lie in reengineering
OCFO/NFC access administration profiles into a role-based process.

Access to Other Sensitive Data

We also reviewed access to certain sensitive client information that had been extracted from
payroll and personnel applications and found that OCFO/NFC had not always adequately protected
sensitive information from unauthorized disclosure.

For instance, we found that biweekly download files for one of OCFO/NFC’s clients that contained
sensitive information protected by the Privacy Act of 1974 had been posted to OCFO/NFC’s Download
Center, which was designed to contain only non-sensitive information. Consequently, the
authentication and monitoring controls over this system were not designed to protect sensitive
information. This occurred because information posted to the Download Center was not controlled
and monitored by the system owner.

OCFO/NFC informed us that it had removed the sensitive information from the Download Center and
would ensure that the system owner approves all future postings. OCFO/NFC also informed us that
it is evaluating the access controls over the Download Center.

Finally, we also found that sensitive information stored in two libraries used to share extracted
payroll and personnel information between OCFO/NFC programming and support staff sections and
with user organizations was not adequately protected from unauthorized disclosure. 
Our review disclosed that 603 users had access to sensitive information in one of these
libraries, and 424 users had access to sensitive information in the other. This occurred
because, even though some of the files in these libraries contained sensitive information
protected by the Privacy Act of 1974, access was generally granted to all files in these
libraries regardless of their content.

Recommendation No. 2

Document and implement access profiles based on job responsibilities and separation of duties
principles, and establish a process to periodically review user access to ensure that it remains
consistent with job functions and separation of duties principles.

Recommendation No. 3

Document adequate justification and develop effective compensating controls for those branches
that require update access to applications in a way that violates separation of duty controls.

Recommendation No. 4

Establish controls to ensure that the system owner approves data loaded on the Download Center
and access to that data.

Recommendation No. 
5

Restructure access controls over the libraries used to share information extracted from OCFO/NFC
payroll and personnel systems to provide greater protection of sensitive information.

Finding 3    Network Security and Monitoring Efforts Need Improvement

OCFO/NFC had not ensured that modems on its network were adequately tracked or properly secured,
that its firewall configurations were appropriately maintained, or that logs were periodically
reviewed on its Web and UNIX servers. This occurred because OCFO/NFC had not established adequate
controls or complied with its own guidelines to monitor and secure these critical network
resources. As a result, OCFO/NFC’s network is at unnecessary risk of intrusion and unauthorized
access that may not be detected in a timely manner.

Modem Security

OCFO/NFC could not be adequately assured that its modems were properly secured. This occurred
because OCFO/NFC’s policies and procedures for tracking, detecting, and properly securing modems
were inadequate and not always followed by personnel. Modems pose a serious security risk because
they provide “back door” points of entry into OCFO/NFC’s network that bypass central protective
devices such as the firewall. 
Potential attackers can use an unsecured modem to obtain unauthorized access to the OCFO/NFC
network and systems.

Departmental Regulations (DR)[12] require agencies to evaluate the security measures in place on
network gateways. Further, OCFO/NFC[13] established its own policy outlining responsibilities and
procedures for requesting telephone lines for phones, fax machines, and modems. This directive
requires that a fax or modem request form be submitted for approval along with a description of
how the modem will be secured. It also requires OCFO/NFC to maintain information regarding each
request and assignment of phone numbers in a database, and to verify annually that modems are
still needed.

In 2003, we reported[14] that OCFO/NFC had established procedures to identify active modem lines,
but had not evaluated the security measures in place to ensure that modem phone lines were
properly protected. In response, OCFO/NFC informed us that it had revised existing procedures to
ensure that all modems are identified, properly secured, and reviewed on a monthly basis.
However, since May 2003, OCFO/NFC had performed only two evaluations. 
Further, we found that OCFO/NFC had revised its procedures to identify only modems that were
available during non-business hours. Consequently, only 12 modem phone lines were identified in
its May/June 2004 evaluation, while 76 were identified in its May 2003 evaluation, when business
hours were not specifically excluded. Finally, OCFO/NFC had not instituted a process to ensure
that identified modems were properly secured.

We also reviewed the results of OCFO/NFC’s evaluations and compared them to its database of
modems. We verified that OCFO/NFC had properly secured the modems we selected. While none of the
selected modems had been improperly secured, we found that 2 of the 12 modem lines identified in
one of its evaluations were not in the modem database. Further, we found modems in the database
that were no longer needed or were assigned to staff who had been relocated, reassigned, retired,
or deceased. This occurred because users were not reporting needed changes to modem lines to the
responsible unit of OCFO/NFC, and OCFO/NFC had not begun its annual review process. Two of these
lines were deleted/disconnected from the phone system as a result of our inquiry.

In addition, we found that OCFO/NFC had not always maintained the proper authorizations for the
modems in its database. We requested authorization forms for the first 10 modems on the database
listing. 
However, OCFO/NFC had only three authorizations on file. Officials told us that the remaining
seven were considered “grandfathered in” because they were in service prior to March 2001, when
OCFO/NFC issued its telephone and fax/modem directive.

[12] DR 3140-1, “USDA Information System Security Policy,” dated May 15, 1996.
[13] Management and Administrative Directives Manual, Chapter 12, “Telecommunications
Management,” Directive 2, “Requesting Telephone and Fax/Modem Lines,” dated March 5, 2001.
[14] Audit Report No. 11401-15-FM, “Fiscal Year 2003 National Finance Center Review of Internal
Controls,” dated November 2003.

Firewall Documentation and Configuration Management Need Improvement

OCFO/NFC had not formally documented or adequately maintained support for its firewall
configurations. This occurred because OCFO/NFC had not implemented a formal configuration
management process for its firewalls. We also identified rules that were no longer needed but
remained in the system because OCFO/NFC was not periodically reviewing its firewall
configurations. As a result, OCFO/NFC does not have adequate assurance that its firewalls are
properly configured.

NIST[15] and USDA’s CIO[16] require that firewall rules be documented and periodically reviewed
to ensure their accuracy. 
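In practice, “documented and periodically reviewed” means that every rule in the running configuration can be traced to an approved change and is still in use. The following is an added example of such a review; it is not from the report or from OCFO/NFC’s firewall tooling. The rule representation, the ticket field, the last-hit timestamps and the two sample rule sets are assumptions; a real review would populate them from the firewall’s exported configuration and its rule hit counters.

```python
"""Firewall rule-set review (added example, not OCFO/NFC code).

Compares the rules actually loaded on the firewall with the approved,
documented rule set and flags: rules with no change ticket behind them, rules
that were never approved, approved rules that are no longer loaded, and permit
rules that have not matched traffic recently.  Rule layout, the ticket field,
the hit timestamps and the sample rule sets are assumptions; a real review
populates them from the firewall's exported configuration and counters.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str                      # "permit" or "deny"
    src: str                         # source network or object name
    dst: str                         # destination network or object name
    service: str                     # e.g. "tcp/443"
    ticket: Optional[str] = None     # change request that justifies the rule
    last_hit: Optional[date] = None  # last time the rule matched a packet

    def key(self) -> Tuple[str, str, str, str]:
        """What makes two rules 'the same rule' regardless of id or metadata."""
        return (self.action, self.src, self.dst, self.service)


def review_rules(running: List[Rule], approved: List[Rule], today: date,
                 stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    approved_keys = {r.key() for r in approved}
    running_keys = {r.key() for r in running}
    report: Dict[str, List[str]] = {"undocumented": [], "unapproved": [], "stale": [], "missing": []}
    for r in running:
        if not r.ticket:
            report["undocumented"].append(r.rule_id)
        if r.key() not in approved_keys:
            report["unapproved"].append(r.rule_id)
        # Only permits are removal candidates; a deny that never fires is fine.
        if r.action == "permit" and (r.last_hit is None or today - r.last_hit > stale_after):
            report["stale"].append(r.rule_id)
    for a in approved:
        if a.key() not in running_keys:
            report["missing"].append(a.rule_id)
    return report


# Constructed sample: the approved rule set reconstructed from change records ...
APPROVED = [
    Rule("A1", "permit", "any",        "dmz-web", "tcp/443", ticket="CR-101"),
    Rule("A2", "permit", "mgmt-net",   "dmz-web", "tcp/22",  ticket="CR-102"),
    Rule("A3", "permit", "backup-net", "dmz-web", "tcp/873", ticket="CR-103"),
    Rule("A4", "deny",   "any",        "any",     "any",     ticket="CR-001"),
]
# ... and what is actually loaded on the firewall, with last-hit dates from its counters.
RUNNING = [
    Rule("R1", "permit", "any",        "dmz-web", "tcp/443",  ticket="CR-101", last_hit=date(2004, 6, 29)),
    Rule("R2", "permit", "mgmt-net",   "dmz-web", "tcp/22",   ticket=None,     last_hit=date(2004, 6, 20)),
    Rule("R3", "permit", "vendor-net", "dmz-db",  "tcp/1521", ticket=None,     last_hit=date(2003, 11, 2)),
    Rule("R4", "permit", "any",        "dmz-web", "tcp/80",   ticket="CR-099", last_hit=None),
    Rule("R5", "deny",   "any",        "any",     "any",      ticket="CR-001", last_hit=date(2004, 6, 30)),
]
REVIEW_DATE = date(2004, 6, 30)

if __name__ == "__main__":
    for category, ids in review_rules(RUNNING, APPROVED, REVIEW_DATE).items():
        print(f"{category:12s} {ids}")
```

The four buckets map onto the finding: `undocumented` is the rule you cannot produce a ticket for, `unapproved` is a change that bypassed the approval path, `stale` is the permit that is no longer needed, and `missing` is an approved rule that quietly disappeared. A rule can land in several buckets at once (R3 above is undocumented, unapproved and stale), which is typical of a vendor connection that was opened by e-mail and never revisited.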
We found that OCFO/NFC was unable to provide supporting documentation for 15 of the 17 firewall
rules selected for review. We also identified certain firewall rules that were no longer needed.

We also found that OCFO/NFC did not use a formal change control process for changing firewall
rules. Officials informed us that approval of changes to the firewall configuration occurs
informally through e-mail. Maintaining supporting documentation in a personal e-mail account is
neither efficient nor effective: generally only the account holder has access to the
documentation, and the practice does not ensure that all the appropriate personnel are made
aware of the change. Without a formal change control process over its firewalls and periodic
reviews of their configuration, OCFO/NFC cannot be assured that its firewalls are configured
effectively, unnecessarily putting its network resources at risk of intrusion.

OCFO/NFC System Security Monitoring for Webservers and UNIX Servers Needs Improvement

OCFO/NFC had not adequately monitored user activity for security purposes on Webservers[17] and
UNIX systems. 
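As an added illustration, not part of the report or of OCFO/NFC’s tooling, the following script shows the kind of targeted review of Webserver and UNIX authentication logs that this finding is about. Rather than reading every line, it selects the two classes of event that the NIST guidance cited in this finding singles out: repeated failed attempts against a host, and unusual patterns of successful access (a success right after a burst of failures, logins outside business hours, privileged logins from unexpected networks). The sshd-style line format, the year, the thresholds, the business-hours window, the privileged-account list, the admin network prefix and the sample log lines are all constructed assumptions.

```python
"""Targeted review of UNIX authentication logs (added example, not OCFO/NFC code).

Instead of reading every line, select the events NIST SP 800-12 singles out:
repeated failed attempts, and unusual patterns of successful access.  The
sshd-style line format, the year, the thresholds, the business-hours window,
the privileged-account list, the admin network prefix and the sample lines
are all assumptions constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed format:
# "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <Failed|Accepted> password for [invalid user ]<user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
YEAR = 2004                       # syslog lines carry no year; assumed
FAIL_THRESHOLD = 5                # failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(6, 20)     # 06:00-19:59 local is the assumed baseline
PRIVILEGED = {"root", "oracle"}
KNOWN_ADMIN_NETS = ("10.1.1.",)   # where interactive admin logins normally originate

Finding = Tuple[str, str, str, str]   # (kind, host, source ip, user)


def parse(line: str) -> Optional[dict]:
    """Fields of an sshd auth line, or None for lines this review does not target."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"]}


def analyse(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    fails: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)  # (host, ip) -> failure times
    for e in filter(None, map(parse, lines)):
        key = (e["host"], e["ip"])
        recent_fails = [t for t in fails[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "Failed":
            fails[key].append(e["ts"])
            if len(recent_fails) + 1 == FAIL_THRESHOLD:   # report once, when the threshold is hit
                findings.append(("failed-burst", e["host"], e["ip"], e["user"]))
            continue
        # Successful login: look for the suspicious patterns around it.
        if recent_fails:
            findings.append(("success-after-failures", e["host"], e["ip"], e["user"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-login", e["host"], e["ip"], e["user"]))
        if e["user"] in PRIVILEGED and not e["ip"].startswith(KNOWN_ADMIN_NETS):
            findings.append(("privileged-from-unknown-net", e["host"], e["ip"], e["user"]))
    return findings


# Constructed sample log, in time order.
SAMPLE_LOG = [
    "Jun 30 02:59:58 unix2 sshd[3001]: Accepted password for oracle from 10.1.1.9 port 50001 ssh2",
    "Jun 30 03:00:01 unix2 cron[55]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jun 30 08:00:10 unix2 sshd[3002]: Failed password for oracle from 10.1.1.9 port 50002 ssh2",
    "Jun 30 08:00:14 unix2 sshd[3002]: Failed password for oracle from 10.1.1.9 port 50002 ssh2",
    "Jun 30 09:00:01 web1 sshd[2001]: Accepted password for oper from 10.1.1.5 port 40001 ssh2",
    "Jun 30 14:00:00 web1 sshd[2002]: Accepted password for root from 10.1.1.5 port 40002 ssh2",
    "Jun 30 23:10:00 web1 sshd[2101]: Failed password for root from 192.0.2.7 port 4444 ssh2",
    "Jun 30 23:10:04 web1 sshd[2102]: Failed password for invalid user admin from 192.0.2.7 port 4445 ssh2",
    "Jun 30 23:10:08 web1 sshd[2103]: Failed password for root from 192.0.2.7 port 4446 ssh2",
    "Jun 30 23:10:12 web1 sshd[2104]: Failed password for root from 192.0.2.7 port 4447 ssh2",
    "Jun 30 23:10:16 web1 sshd[2105]: Failed password for root from 192.0.2.7 port 4448 ssh2",
    "Jun 30 23:10:25 web1 sshd[2106]: Accepted password for root from 192.0.2.7 port 4449 ssh2",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Of the twelve sample lines only five produce findings, which is the point of selective monitoring: the two isolated failures on `unix2` and the daytime logins from the admin network are left alone, while the burst against `web1` followed by a successful root login from an unknown address at 23:10 is reported from three different angles. The lists of privileged accounts, admin networks and business hours are where the site-specific knowledge lives; they are the “sensitive system resources” and “types of unusual activity” that need to be identified and documented before a monitoring report is worth anything.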
This occurred because OCFO/NFC did not have a process in place to perform routine monitoring of
these systems. The lack of a formal monitoring process reduces the likelihood that security
incidents involving Webservers or UNIX systems will be detected and corrected in a timely manner.

NIST[18] recognizes that routinely monitoring access can help identify significant problems and
deter users from inappropriate and unauthorized activities. Because the volume of security
information is likely to be too great to review routinely, the most effective monitoring efforts
are those that selectively target specific actions. These automated monitoring efforts should
include provisions to identify and investigate both failed attempts to access sensitive data and
resources and unusual or suspicious patterns of successful access.

Although OCFO/NFC had enabled logging[19] on its Web and UNIX systems and reviewed those logs as
part of security incident investigations, OCFO/NFC officials told us that they had not regularly
generated system monitoring reports that would reveal suspicious access activity on these
systems. OCFO/NFC recognized that this lack of monitoring was a security weakness and planned to
implement monitoring software to correct it.

[15] NIST Special Publication 800-41, “Guidelines on Firewalls and Firewall Policy,” dated
January 2002.
[16] Cyber Security Policy, CS-012, “Gateway and Firewall Technical Security Standards,” dated
January 22, 2002.
[17] These servers are the front-end interface servicing users’ web/internet requests. They may
connect to a back-end database but do not host the database themselves.
[18] NIST Special Publication 800-12, “An Introduction to Computer Security: The NIST Handbook,”
dated October 1995.

Recommendation No. 6

Resume identifying modem phone lines during business hours, expand current procedures to ensure
that the modems identified are adequately secured, survey its organizations to identify modems
that are currently in use and authorized and update the database accordingly, and establish a
process to annually verify that faxes/modems are still needed.

Recommendation No. 
7

Document the current firewall configuration, establish a formal configuration change management
process for the firewall, and perform periodic reviews of the firewall configuration.

Recommendation No. 8

Identify sensitive system resources that should be included in its active monitoring process;
develop, test, and document the system reports used in its monitoring process; and identify and
document the types of unusual activity on these reports that should be investigated, for
Webservers and UNIX systems.

[19] Recording of events made by a particular software package.

Section 3. Application Software Change Controls

Finding 4    Application Software Change Controls Need Improvement

Despite prior recommendations,[20] we found that OCFO/NFC needs to strengthen its controls over
application changes. Although OCFO/NFC was documenting application software change requests and
approvals, we found that OCFO/NFC needs to ensure that it (1) completes documentation of
application change testing, (2) performs user acceptance testing on mandated application software
changes, (3) obtains users’ approval of application software requirements, and (4) notifies users
of emergency changes for subsequent review. 
OCFO/NFC is currently in the process of implementing a new standardized change management system
and process to support application changes. Despite its own policies requiring documented
approval and testing, OCFO/NFC was not adequately enforcing its established guidance. Until these
issues are addressed, OCFO/NFC will face increased risk that application software changes may not
meet user needs, may not operate as intended, or may cause unforeseen adverse impacts on the
application.

To determine whether application software changes were adequately documented, approved, and
tested, we selected 25 of the 1,182 non-emergency changes and 15 of the 51 emergency changes to
applications that were implemented between October 1, 2003, and March 31, 2004. The following
summarizes the results of our review.

Testing of Application Software Changes

OCFO/NFC was unable to provide adequate documentation for 16 of the 25 non-emergency changes and
8 of the 15 emergency changes we reviewed. Therefore, we could not determine whether OCFO/NFC
adequately tested those application software changes. OCFO/NFC guidance for application software
testing states that the programmer or project leader for an application change request must
develop test plans and test results to reasonably ensure that proposed changes will function
properly. 
These test plans and results must be maintained in the project folder.

OCFO/NFC officials informed us that they had begun using a contractor in one division to develop unit test plans for non-emergency changes to its payroll applications, and that they would begin enforcing this requirement for other applications and emergency changes. In addition, OCFO/NFC is in the process of implementing procedures for performing biweekly system testing for its payroll and personnel systems.

20 Audit Report No. 11401-9-FM, “Selected Information Technology General Controls At The National Finance Center Need Strengthening,” dated March 2002; Audit Report No. 11401-15-FM, “Fiscal Year 2003 National Finance Center Review of Internal Controls,” dated November 2003.

Acceptance Testing on Mandated Application Changes

OCFO/NFC officials informed us that acceptance testing was not performed for any of the 25 mandated changes that we reviewed. In addition, OCFO/NFC had not obtained waivers from users, development/maintenance organization, quality assurance staff, or other technical personnel. OCFO/NFC officials informed us that most of their systems are on a biweekly release schedule, which does not provide enough time to conduct formal user acceptance testing.
As a result, OCFO/NFC faces increased risks that application changes will not meet user requirements or operate as intended.

The OCFO/NFC Scheduled Software Maintenance Directive21 states that acceptance testing is required for mandated changes unless a waiver is approved by the users, development/maintenance organization, the quality assurance staff, and other technical personnel after a review of the development/maintenance organization’s software testing. However, development organization testing guidance provides conflicting information on when acceptance testing is required.

OCFO/NFC informed us that it intends to include customer representatives in the system testing in the future.

User Review of Software Requirements and Other Application Changes

We found that OCFO/NFC had documented system requirements for 20 of the 25 non-emergency changes that we reviewed, but had not obtained user approval of these software requirements for any of these 20 changes. This occurred because OCFO/NFC was not complying with its own guidance that requires user sign-off on these system requirements.
As a result, OCFO/NFC cannot be adequately assured that proposed changes meet user requirements.

The NFC’s Application System Life Cycle22 states that any modification, reconfiguration, or redevelopment would include user review of functional requirements. While OCFO/NFC had developed a template to guide the development of software requirements documents, officials stated that software requirement documents are at the discretion of the programmer and are not required. Each software requirement document must have a sign-off sheet, which documents approval by OCFO/NFC officials and a customer representative.

21 Title VII, Chapter 11, Directive 47, Scheduled Software Maintenance (Revision 2), November 14, 2003
22 Title VII, Chapter 11, Directive 48, Application System Life Cycle (Revision 2), November 14, 2003

We also found that OCFO/NFC had not established a process to notify the designated customer representative of emergency changes for subsequent review. OCFO/NFC officials informed us that they had begun meeting with the customer representative for one of its systems on a biweekly basis to discuss emergency changes, and would begin a similar process for the other applications.

Recommendation No. 9

Develop a process to ensure that adequate testing has been performed and properly documented by the development organization before its approving official signs the change request.

Recommendation No. 10

Establish controls to ensure that acceptance testing is performed or a waiver is obtained prior to implementation for all mandated changes.

Recommendation No. 11

Establish controls to ensure that software requirements for application modifications, reconfigurations, and redevelopments are properly documented and approved by a customer representative.

Exhibit A – Office of Inspector General, Review of Selected Controls
Exhibit A – Page 1 of 13

The objectives of our examination were to perform testing necessary to express an opinion about (1) whether the control objectives and techniques identified in this exhibit present fairly, in all material respects, the aspects of the Office of the Chief Financial Officer (OCFO) National Finance Center (OCFO/NFC)’s policies and procedures in place from October 1, 2003, through June 30, 2004, (2) whether the control structure of policies and procedures was suitably designed to provide reasonable assurance that the specified control objectives were complied with satisfactorily, and (3) the operating effectiveness of the specified control structure policies and procedures in achieving specified control objectives.

This report is intended to provide users of OCFO/NFC with information about the control structure policies and procedures at OCFO/NFC that may affect the processing of user organizations’ transactions and to provide users with information about the operating effectiveness of the policies and procedures that were tested. This report, when combined with an understanding and assessment of the internal control structure policies and procedures at user organizations, is intended to assist user auditors in (1) planning the audit of user organizations’ financial statements, and (2) assessing control risk for assertions in user organizations’ financial statements that may be affected by policies and procedures at OCFO/NFC.

Our testing of OCFO/NFC’s control structure policies and procedures was restricted to the control objectives and the related policies and procedures listed in the matrices in this exhibit. Our testing was not intended to apply to any other procedures not included in the aforementioned matrices or to procedures that may be in effect at user organizations.

Our review was performed through inquiry of key OCFO/NFC personnel, observation of activities, examination of relevant documentation and procedures, and tests of controls. We also followed up on known control weaknesses identified in prior OIG audits.
We performed such tests as we considered necessary to evaluate whether the operating and control procedures described by OCFO/NFC and the extent of compliance with them are sufficient to provide reasonable, but not absolute, assurance that control objectives are achieved.

The description of the tests of operating effectiveness and the results of those tests are included in the following section of this report.

Control Objective              Control Techniques                Tests Performed                       Conclusions

1. Ensure the necessary controls are in place to mitigate and/or reduce the potential for fraud, waste, and abuse of IT information assets.

   Control Techniques:
   1. Implement and maintain an effective security program by assuring:
      a. Risk assessments are performed.
      b. Security plans are developed and maintained.
      c. Policies and procedures to reduce risks are implemented.
      d. Periodic security awareness training is provided.
      e. Testing and evaluation of plans, procedures, and security controls are conducted.
      f. Security incident response capability is maintained.

   Tests Performed:
   Verified that OCFO/NFC had developed risk assessments and security plans for its major applications and general support systems.
   Reviewed the departmental guidelines for certification and accreditation for general support systems and major applications.
   Obtained the security awareness database as of the end of fiscal year 2003 and performed analysis to determine the number of employees who did/did not take the security awareness training.
   Reviewed NIST SP 800-18.
   Reviewed control self assessments for OCFO/NFC business units.
   Interviewed OCFO/NFC officials and reviewed NFC Directives.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and operating effectively, except as noted below.
   OCFO/NFC had revised its certification and accreditation process in accordance with departmental guidelines. However, it had not completed the certification and accreditation of its general support systems and major applications for the period under review. The C&As were completed by September 30, 2004. (See Finding No. 1.)

2. Ensure that reimbursement agreements developed between NFC and user agencies for provision of services and cost development are accurate.

   Tests Performed:
   Selected a sample of Memoranda of Understanding (MOU) for two agencies.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and were operating effectively.

3. Ensure that requirements for information systems are developed, documented, and maintained and that they satisfy user needs.

   Control Techniques:
   a. Develop requirements documentation that is in compliance with Title VII, Chapter 11, Directive 48, Application System Life Cycle.
   b. Submit requirements package to the user for feedback and prepare adjustments to the package, if necessary.
   c. Obtain user sign off on requirements packages, when appropriate.

   Tests Performed:
   Interviewed OCFO/NFC personnel and reviewed applicable directives and procedures.
   Selected and reviewed mandated application changes that were implemented between October 1, 2003, and March 31, 2004.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and were operating effectively, except as noted below.
   OCFO/NFC was not obtaining user approval of software requirements. We found that OCFO/NFC had documented system requirements for 20 of the 25 non-emergency changes that we reviewed, but had not obtained user approval of these software requirements for any of these 20 changes. (See Finding No. 4.)

4. Ensure that NFC's application software systems are developed to minimize invalid, lost, or corrupted data, and to maintain data security and integrity.

   Control Techniques:
   a. Establish, as dictated by requirements documentation and/or users’ requests, system checks and edits to verify the validity of data processed in and interfaced between NFC systems.
   b. Restrict developer access to data on an "as needed" basis.
   c. Adhere to acceptable standard development practices for specifications, coding, security, and testing of software at each phase along the development lifecycle.
   d. Adhere to NFC’s policy for software configuration control as documented by ISPCS.

   Tests Performed:
   Observed OCFO/NFC personnel process T&A's, reviewed access reports for Table Management System. Reviewed OCFO/NFC procedures for the selected applications.
   Selected and reviewed mandated application changes that were implemented between October 1, 2003, and March 31, 2004.
   Randomly selected emergency application changes implemented between October 1, 2003, and March 31, 2004.
   Interviewed responsible OCFO/NFC personnel.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and operating effectively, except as noted below.
   OCFO/NFC officials told us that acceptance testing is performed for all application changes that are classified as routine; however, we found that OCFO/NFC was not performing acceptance testing on application changes that are classified as mandated. (See Finding No. 4.)
   We also found that OCFO/NFC had not sufficiently documented the software testing for the application change requests. Consequently, we could not always determine if adequate testing had occurred. (See Finding No. 4.)
   We noted that individuals at OCFO/NFC had update access to applications that was not within the scope of their job function. (See Finding No. 2.)

5. Ensure that entries added to table management are valid and comply with Treasury, OPM, and other applicable Government regulations and management policies to minimize errors, fraudulent entries, and unauthorized data.

   Control Techniques:
   a. Restrict access to specific personnel to process, add, change, or delete data in table management to minimize possible adverse impact on processing.

   Tests Performed:
   Reviewed access reports for the Table Management System.
   Made inquiries to responsible OCFO/NFC programmers.
   Reviewed applicable OCFO/NFC directives.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation but not operating effectively.
   The table management application has controls in place to prevent inappropriate updates to the tables; however, we found individuals at OCFO/NFC had access to critical Payroll/Personnel Systems that was not within the scope of their job function. (See Finding No. 2.)

6. Ensure that time and attendance documents (T&A’s) are received and processed timely, accurately, and according to Government regulations.

   Control Techniques:
   a. Ensure accuracy, validity of the information, and compliance with regulations.
   b. Verify the receipt and status of agency contact and running of T&A reports.
   c. Correct and reprocess suspended T&A's. Research multiple employee T&As to identify the block, batch, and sequence number of the suspended T&As. Correct duplicate T&As to ensure that each employee is paid only once for the current pay period. Establish a Special Payroll Processing System record for an indebtedness and/or death case if the T&A is marked final or a termination action applies.

   Tests Performed:
   Reviewed relevant application documentation and made inquiries of system programmers.
   Reviewed various payroll/personnel exception reports.
   Observed OCFO/NFC processing of T&A's. Reviewed OCFO/NFC procedures for correcting T&A's and other relevant directives. Reviewed relevant system reports.
   Made inquiries to responsible OCFO/NFC personnel.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and operating effectively.

7. Ensure that manually processed salary payments are accurate and timely, and comply with regulations.

   Control Techniques:
   a. Assign Form AD-343, Payroll Action Requests, Document Tracking System External, Special Payroll Processing System, Quick Service Wires, or other requests for manual payments promptly to unit accounting technicians, payroll technicians, and clerks to ensure timely processing in the Special Payroll Processing System.

   Tests Performed:
   Reviewed Federal guidelines regarding the need for unique login identifiers.
   Reviewed criteria for AD343 authorizations.
   Compared the list of Special Payroll Processing System transactions to the list of those authorized to process AD343s for one agency.
   Reviewed OCFO/NFC reports designed to identify employees updating their own payroll and personnel transactions.
   Made inquiries to responsible OCFO/NFC personnel.

   Conclusions:
   The control structure policies and procedures were not suitably designed to achieve the control objective specified.
   We found access control weaknesses that violate separation of duties controls, and excessive access that was not needed to perform the user’s job functions. Also, we found weak access controls over OCFO/NFC’s Download Center. (See Finding No. 2.)

8. Ensure that new and current clients are adequately trained to effectively and efficiently use the applicable NFC system, including electronic access applications.

   Control Techniques:
   a. Provide comprehensive user training on applicable system applications.

   Tests Performed:
   Reviewed application documentation for applicable systems.
   Made inquiries to responsible OCFO/NFC personnel.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and were operating effectively.

9. Ensure that NFC systems, including new and revised electronic systems, are user friendly.

   Control Techniques:
   a. Review recommendations for modifications to screen designs and/or data field names to ensure ease of operations, user friendliness, and consistency with other screens and/or systems.

   Tests Performed:
   Reviewed OCFO/NFC procedures for the selected applications.
   Tested and evaluated the software used to input payroll/personnel information.
   Made inquiries to responsible OCFO/NFC personnel.
   Interviewed timekeepers.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and were operating effectively.

10. Ensure Individual Development Plans (IDPs) are properly developed and executed in compliance with applicable laws, regulations, and policies.

   Control Techniques:
   a. Prepare IDPs in accordance with NFC Directives.
   b. Assess needs of employees to determine training required to successfully perform present duties.
   c. Provide employees with activities to enhance their skills so that they may perform and advance to their highest potential.

   Tests Performed:
   Obtained training records for a sample of employees with significant security responsibilities.
   Reviewed training records to determine whether training was adequate.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation and operating effectively.

11. Ensure that all OCFO/NFC and contractor personnel have the appropriate position sensitivity codes, clearances, and background investigations as directed by USDA, OPM, and OMB guidelines.

   Control Techniques:
   a. Obtain appropriate background checks or investigations for selected/appointed individuals prior to their being placed in the designated position.
   b. Monitor suspense dates for completed investigations for high-risk positions to ensure that investigative actions are taken within 30 days of the 5-year anniversary.

   Tests Performed:
   Obtained a status report and performed an analysis to determine whether progress had been made relating to the background investigations and reinvestigations cited in the fiscal year 2003 General Controls report.

   Conclusions:
   The control structure policies and procedures were suitably designed to achieve the control objective specified, had been placed in operation but not fully operating effectively.
   We identified 27 high-risk computer/information systems positions that either did not have a background investigation or did not have a re-investigation within the required 5-year period. (See Finding No. 1.)

12. Develop and maintain an effective IS security program in compliance with OMB

   Control Techniques:
   a. Control access to IS resources.

   Tests Performed:
   Interviewed responsible OCFO/NFC personnel, reviewed rules for the firewall system, and evaluated supporting documentation for selected rules.

   Conclusions:
   The control structure policies and procedures were not suitably designed to achieve the control objective specified.
OCFO/NFC has made\n        Circular A-130,                                                                           significant improvements to\n        Departmental                                            Performed vulnerability           comply with Federal\n        Regulation (DR)                                         assessments on selected servers   regulations; however, we found\n        3140, FIPS,                                             and network devices.              that OCFO/NFC had not\n        FISMA, and                                                                                updated its directive and\n        NIST.                                                   Reviewed applicable               functional statements to clearly\n                                                                OCFO/NFC policies and             define security responsibilities\n                                                                procedures.                       after its 2002 reorganization.\n                                                                                                  Finally, OCFO/NFC had not\n                                                                                                  completed all required\n                                                                                                  background investigations for\n                                                                                                  individuals in high-risk\n                                                                                                  positions. 
OCFO/NFC had not\n                                                                                                  ensured that modems on its\n                                                                                                  network were adequately\n                                                                                                  tracked or properly secured,\n                                                                                                  that its firewall configurations\n                                                                                                  were appropriately maintained,\n                                                                                                  or that logs were periodically\n                                                                                                  reviewed on its Web and Unix\n                                                                                                  servers. (See Finding Nos. 1\n                                                                                                  and 3.)\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                                       Page 25\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                    Exhibit A \xe2\x80\x93 Page 8 of 13\n\n    Control Objective       Control Techniques                 Tests Performed                   Conclusions\n\n\n    13. Ensure adequate   a. 
Develop system testing       Interviewed OCFO/NFC            The control structure policies\n        testing of new        procedures and              personnel and reviewed          and procedures were suitably\n        and modified          standards as specified in   applicable directives and       designed to achieve the control\n        applications.         NFC directives that         procedures.                     objective specified, had been\n                              include:                                                    placed in operation but were\n                          1) Testing prior to             Selected and reviewed           not operating effectively.\n                              implementation of new       application changes that were\n                              and modified                implemented between October     We found that OCFO/NFC had\n                              applications and            1, 2003, and March 31, 2004.    documented system\n                              scheduled releases.                                         requirements for 20 of the 25\n                                                          Selected and reviewed           non-emergency changes that\n                          2) Use of comprehensive\n                                                          emergency application changes   we reviewed, but had not\n                              test data and\n                                                          implemented between October     obtained user approval of these\n                              nonproductive copies of\n                                                          1, 2003, and March 31, 2004.    
software requirements for any\n                              live files.\n                                                                                          of these 20 changes.\n                          3) Participation by users\n                              and other groups                                            We found that OCFO/NFC had\n                              involved with the                                           not performed acceptance\n                              application, including                                      testing for application changes\n                              preparation of test data                                    that are classified as mandated.\n                              by users.                                                   (See Finding No. 4.)\n                          4) Testing various\n                              combinations of\n                              conditions, realistic\n                              volumes, and infrequent\n                              processing.\n                          5) Testing the application\xe2\x80\x99s\n                              interface with other\n                              systems.\n                          6) Providing for review\n                              and approval of test\n                              results by users and\n                              developers prior to\n                              moving into production.\n                          7) Develop and implement\n                              acceptance testing plans\n                              in accordance with NFC\n                              standards prior to\n                              placing in production.\n                          8) Document results of\n                              acceptance tests and\n                              resolve problem areas.\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                    
                                           Page 26\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                     Exhibit A \xe2\x80\x93 Page 9 of 13\n\n    Control Objective          Control Techniques             Tests Performed                     Conclusions\n\n\n    14. Ensure that       a. Establish an                Reviewed system                   The control structure policies\n        program changes      independent quality         documentation for OCFO/NFC        and procedures were suitably\n        are authorized       assurance group to          library management software       designed to achieve the control\n        and accurately       process program             and change control system.        objective specified, had been\n        implemented to       changes to ensure                                             placed in operation and were\n        reduce the           program integrity.          Interviewed responsible           operating effectively.\n        potential for     b. Develop and implement       OCFO/NFC personnel.\n        errors or            a formal procedure for\n        irregularities.      transferring new and\n                             modified application\n                             programs into\n                             production libraries.\n                          c. Produce reports of\n                             program changes and\n                             provide the reports for\n                             management review\n                             upon request.\n                          d. Maintain a history of\n                             program changes in\n                             accordance with\n                             General Services\n                             Administration retention\n                             schedule.\n    15. 
Ensure that       a. Maintain a program          Obtained and reviewed access      The control structure policies\n        application          library management          reports for the OCFO/NFC          and procedures were suitably\n        programs and         software system to          mainframe production program      designed to achieve the control\n        related              restrict update access to   source code, load and procedure   objective specified, had been\n        documentation        production versions of      libraries.                        placed in operation and were\n        are physically       application modules to a                                      operating effectively.\n        and logically        designated group of\n        secure.              authorized individuals.\n                          b. Deny developers update\n                             access to production\n                             programs.\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                               Page 27\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                             Exhibit A \xe2\x80\x93 Page 10 of 13\n\n    Control Objective             Control Techniques                 Tests Performed                       Conclusions\n\n\n    16. Ensure that access                                   Reviewed the mainframe                 The control structure policies\n                             a. Define and implement\n        to online systems                                     security software control             and procedures were suitably\n                                 policies and procedures\n        is controlled.                                        
options that impact password          designed to achieve the control\n                                 for issuing user ID and\n                                 password administration.     administration. Also, tested          objective specified, had been\n                             b. Develop security which\n                                                              selected servers for certain          placed in operation but not\n                                 restricts access to defined  password vulnerabilities.             operating effectively.\n                                 data and programs that are\n                                 necessary to perform a      Requested and obtained listings        We found individuals within\n                                 specific job function.       of user IDs from OCFO/NFC             OCFO/NFC and external to\n                                                               and selected client agencies to      OCFO/NFC with access to\n                             c.    Reports of incidents of\n                                                               determine whether user IDs           update personnel/payroll\n                                   suspected inappropriate\n                                                               were granted only to employees       applications although their\n                                   access are produced and\n                                   reviewed.\n                                                               whose job responsibilities           current job function did not\n                                                               required such access.                require access. We found\n                             d.    
Monitor user activity and                                        individuals with access that\n                                   provide reports to\n                                                               Reviewed access reports for          violated separation of duty\n                                   management for inactive\n                                                               selected applications and a          controls. (See Finding No. 2.)\n                                   accounts.\n                                                               sensitive dataset file to identify\n                             e.    Provide access through      individuals granted                  We found some OCFO/NFC\n                                   secure connectivity with    inappropriate access and             staff that had access to\n                                   approved security form.     separation of duty based on          confidential data that exceeds\n                                                               their job function.                  what was required to perform\n                                                                                                    their job duties. (See Finding\n                                                               Reviewed monitoring reports          No. 
2.)\n                                                                and procedures.\n                                                                                                    OCFO/NFC had not ensured\n                                                               Obtained a file of mainframe         that modems on its network\n                                                               user IDs that included the date      were adequately tracked or\n                                                               of last use and identified user      properly secured, that its\n                                                               IDs that had not been used in        firewall configurations were\n                                                               more than 150 days.                  appropriately maintained, or\n                                                                                                    that logs were periodically\n                                                               Reviewed the results of a            reviewed on its Web and Unix\n                                                               commercially available               servers. .\n                                                               software product that was used       (See Finding No. 
3.)\n                                                               by OCFO/NFC to identify\n                                                               security risks posed by\n                                                               modems, compared the\n                                                               modems identified to the\n                                                               modems database, and verified\n                                                               that the identified modems were\n                                                               properly secured.\n\n                                                               Interviewed responsible\n                                                               OCFO/NFC personnel for\n                                                               selected activities and functions\n                                                               reviewed.\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                                         Page 28\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                             Exhibit A \xe2\x80\x93 Page 11 of 13\n\n    Control Objective            Control Techniques                 Tests Performed                         Conclusions\n\n\n    17. Ensure that         a.    Provide access to            Reviewed monitoring reports,         The control structure policies\n        access to data is         sensitive or critical data   and applicable procedures.           and procedures were suitably\n        controlled to             only when needed for                                              designed to achieve the control\n        minimize                  processing.                  
Reviewed                             objective specified, had been\n        unauthorized                                           identification/authentication for    placed in operation but were\n        access.                                                selected applications and the        not operating effectively.\n                                                               Download Center.\n                                                                                                    OCFO/NFC is not adequately\n                                                               Obtained and reviewed a copy         controlling the accesses to the\n                                                               of the files on the Download         systems we selected for\n                                                               Center.                              review. (See Finding No. 2.)\n\n                                                               Reviewed access reports for          We found some users within\n                                                               one sensitive dataset file used to   OCFO/NFC and external to\n                                                               store sensitive data when            OCFO/NFC that had update\n                                                               submitted to the OCFO/NFC            access to selected applications\n                                                               for processing.                      although their current job\n                                                                                                    function did not require such\n                                                               Interviewed responsible              access. In some instances, the\n                                                               OCFO/NFC personnel.                  
access violated separation of\n                                                                                                    duty controls. (See Finding\n                                                                                                    No. 2.)\n\n                                                                                                    We found that there were\n                                                                                                    inadequate access controls to\n                                                                                                    the Download Center, which\n                                                                                                    could lead to the disclosure of\n                                                                                                    sensitive information covered\n                                                                                                    by the Privacy Act of 1974.\n                                                                                                    (See Finding No. 2.)\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                                         Page 29\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                    Exhibit A \xe2\x80\x93 Page 12 of 13\n\n    Control Objective           Control Techniques          Tests Performed                       Conclusions\n\n\n    18. Ensure that        a.    
Inform employees of   Reviewed OCFO/NFC                   The control structure policies\n        NFC provides             the ADP security      organization chart, security        and procedures were suitably\n        security,                program and their     directives, functional statements   designed to achieve the\n        confidentiality,         responsibilities.     and made inquiries to               control objective specified,\n        integrity, and                                 OCFO/NFC personnel to               had been placed in operation\n        availability of                                determine actual procedures in      to ensure confidentiality but\n        software and                                   place.                              not operating effectively.\n        data on\n                                                       Reviewed applicable OMB and\n        mainframe and                                                                      We found that the security\n                                                       FISMA requirements.\n        personal                                                                           responsibilities are not\n        computers.                                                                         
accurately assigned because the\n                                                                                           responsibilities have not been\n                                                                                           updated to reflect\n                                                                                           organizational changes.\n                                                                                           Furthermore, security\n                                                                                           responsibilities are not clearly\n                                                                                           defined in some OCFO/NFC\n                                                                                           directives and functional\n                                                                                           statements because procedures\n                                                                                           at OFCO/NFC have not been\n                                                                                           updated to clearly delineate\n                                                                                           security functions.\n                                                                                           (See Finding No. 
1.)\n\n                                                                                           We found some users within\n                                                                                           OCFO/NFC and external to\n                                                                                           OCFO/NFC that had update\n                                                                                           access to selected applications\n                                                                                           although their current job\n                                                                                           function did not require such\n                                                                                           access. In some instances, the\n                                                                                           access violated separation of\n                                                                                           duty controls. (See Finding\n                                                                                           No. 2.)\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                                Page 30\n\x0cExhibit A \xe2\x80\x93 Office of Inspector General, Review of Selected Controls\n                                                                                                           Exhibit A \xe2\x80\x93 Page 13 of 13\n\n    Control Objective            Control Techniques                Tests Performed                        Conclusions\n\n\n    19. Ensure that         a.    
Maintain adequate           Reviewed compensating               The control structure policies\n        access to                 segregation of duties to    controls for separation of duties   and procedures were suitably\n        resources and             prevent an individual       for individuals who had access      designed to achieve the control\n        records is                from performing two or      to process transactions on one      objective specified, had placed\n        limited to                more incompatible           critical application.               in operation but were not\n        authorized                functions.                                                      operating effectively.\n        individuals, and\n        accountability                                                                            We found OCFO/NFC\n        for custody and                                                                           personnel and some of its\n        use of resources                                                                          clients had access to critical\n        is assigned and                                                                           payroll and personnel\n        maintained.                                                                               applications that exceed what\n                                                                                                  was required to perform their\n                                                                                                  job functions. 
In some\n                                                                                                  instances, the access provided\n                                                                                                  also violated separation of duty\n                                                                                                  controls. (See Finding No. 2.)\n\n\n    20. Ensure that         a.    Verify that access to       Reviewed data backup files.         The control structure policies\n        sensitive data            items or reports                                                and procedures were suitably\n        that contain              containing personal         Reviewed OCFO/NFC                   designed to achieve the control\n        personal                  identifiers is restricted   procedures and directives           objective specified, had been\n        identifiers are           to only authorized          relating to privacy act and         placed in operation and not\n        adequately                persons who need the        confidentiality.                    operating effectively.\n        protected in              data to perform their job\n        compliance with           functions.                  Reviewed OMB guidance               We found that some\n        the Privacy Act                                       relating to privacy.                OCFO/NFC personnel have\n        and Directive 55.                                                                         access to confidential data that\n                                                              We requested and obtained           exceeds that is required to\n                                                              listings of user IDs from           perform their job duties. (See\n                                                              OCFO/NFC and selected client        Finding No. 
2.)\n                                                              agencies to determine whether\n                                                              user IDs were granted only to\n                                                              employees whose job\n                                                              responsibilities required such\n                                                              access.\n\n                                                              Made inquiries to responsible\n                                                              OCFO/NFC personnel.\n\n\n\n\nUSDA/OIG-A/11401-20-FM                                                                                                       Page 31\n\x0c'
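The access-review tests listed under controls 16, 17, 19 and 20 (comparing user ID listings against job responsibilities, flagging mainframe IDs unused for more than 150 days, and finding individuals who hold incompatible functions) are mechanical enough to run as a script over an exported access report. The Python below is an added example, not code from this OIG report or from OCFO/NFC. The CSV layout, the job-function baseline in REQUIRED_ACCESS, the incompatible-function pairs in INCOMPATIBLE_PAIRS and the sample rows are all assumptions constructed for illustration; the 150-day threshold and the June 30, 2004 as-of date come from the exhibit.

```python
"""Access-review checks modelled on the tests in Exhibit A, controls 16, 17, 19 and 20.

Added example, not code from the OIG report or from OCFO/NFC. The report format,
the job-function baseline and the incompatible-function pairs are assumptions.
"""
import csv
import io
from datetime import date, datetime

DORMANT_DAYS = 150                # threshold the exhibit's test used for unused IDs
REVIEW_DATE = date(2004, 6, 30)   # as-of date of the review (from the report)

# Constructed sample access report (not real NFC data). One row per user ID:
# user_id, owning agency, job function, date of last use (blank = never used),
# and the entitlements granted, separated by ';'.
SAMPLE_REPORT = """\
user_id,agency,job_function,last_use,entitlements
TK001,NFC,timekeeper,2004-06-15,PAYROLL.TA.UPDATE
TK002,CLIENT-A,timekeeper,2003-11-02,PAYROLL.TA.UPDATE
PS001,NFC,personnel_specialist,2004-06-29,PERSONNEL.UPDATE;PAYROLL.APPROVE
HD001,NFC,help_desk,2004-06-30,PAYROLL.READ;PERSONNEL.READ;PERSONNEL.UPDATE
DV001,NFC,developer,2004-06-28,DEV.SOURCE.UPDATE;PROD.LOAD.UPDATE
DV002,NFC,developer,,DEV.SOURCE.UPDATE
"""

# Hypothetical baseline: the entitlements each job function actually needs.
# Anything a user holds beyond this is "access exceeding the job function".
REQUIRED_ACCESS = {
    "timekeeper": {"PAYROLL.TA.UPDATE"},
    "personnel_specialist": {"PERSONNEL.UPDATE"},
    "payroll_approver": {"PAYROLL.APPROVE"},
    "help_desk": {"PAYROLL.READ", "PERSONNEL.READ"},
    "developer": {"DEV.SOURCE.UPDATE"},
}

# Hypothetical incompatible-function pairs: holding both sides lets one person
# complete a transaction end to end, which control 19's technique (a) forbids.
INCOMPATIBLE_PAIRS = [
    frozenset({"PAYROLL.TA.UPDATE", "PAYROLL.APPROVE"}),   # enter and approve pay
    frozenset({"PERSONNEL.UPDATE", "PAYROLL.APPROVE"}),    # change a record and approve pay
    frozenset({"DEV.SOURCE.UPDATE", "PROD.LOAD.UPDATE"}),  # write code and move it to production
]


def parse_report(text):
    """Parse the CSV access report into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        last_use = row["last_use"].strip()
        records.append({
            "user_id": row["user_id"].strip(),
            "agency": row["agency"].strip(),
            "job_function": row["job_function"].strip(),
            "last_use": datetime.strptime(last_use, "%Y-%m-%d").date() if last_use else None,
            "entitlements": {e for e in row["entitlements"].split(";") if e},
        })
    return records


def dormant_ids(records, as_of):
    """User IDs unused for more than DORMANT_DAYS as of `as_of`, or never used at all."""
    out = [r["user_id"] for r in records
           if r["last_use"] is None or (as_of - r["last_use"]).days > DORMANT_DAYS]
    return sorted(out)


def excess_access(records):
    """Entitlements each user holds beyond the baseline for their job function.

    A job function missing from the baseline has no approved access at all, so
    every entitlement is reported; that forces someone to document it.
    """
    findings = {}
    for r in records:
        extra = r["entitlements"] - REQUIRED_ACCESS.get(r["job_function"], set())
        if extra:
            findings[r["user_id"]] = sorted(extra)
    return findings


def sod_violations(records):
    """Users holding both halves of any incompatible-function pair."""
    findings = {}
    for r in records:
        hits = [sorted(p) for p in INCOMPATIBLE_PAIRS if p <= r["entitlements"]]
        if hits:
            findings[r["user_id"]] = hits
    return findings


def review(text, as_of):
    """Run all three checks; dormant IDs are tagged with their owning agency because
    the exhibit distinguishes OCFO/NFC staff from client-agency users."""
    records = parse_report(text)
    agency = {r["user_id"]: r["agency"] for r in records}
    return {
        "dormant": {u: agency[u] for u in dormant_ids(records, as_of)},
        "excess_access": excess_access(records),
        "sod_violations": sod_violations(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REPORT, REVIEW_DATE), indent=2))
```

The two inputs that need a business owner's sign-off, not the reviewer's, are the baseline and the pair list: the script only turns an agreed statement of "who needs what" into findings. On the constructed sample it reports TK002 and DV002 as dormant, PAYROLL.APPROVE, PERSONNEL.UPDATE and PROD.LOAD.UPDATE as excess access for PS001, HD001 and DV001 respectively, and PS001 and DV001 as separation-of-duty conflicts, which is the same shape of result the exhibit describes for Finding No. 2.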